Clinical Researcher—March 2018 (Volume 32, Issue 3)
James Michael Causey; Gary W. Cramer
Whether it’s via data posted to Facebook, Instagram, or LinkedIn, or shared through e-mails or electronic personal profiles filled out with service providers, clubs, networking venues, or employers, never have so many freely offered up so much information about themselves as they do now through social media and other online platforms.
We can celebrate the birth of a child online, turn others on to a new vacation spot, or share a new culinary discovery while multitasking online at carrying out office duties and job searches, following entertainment sites and hobbies, and purchasing everything under the sun through sites that all want demographic insights into our behaviors as part of the price to pay for access. Others get even more personal, for instance by sharing in-depth details about their health on platforms devoted to patient advocacy for a range of medical conditions and concerns.
Shouldn’t we be worried about who can view all (or any) of our personal data, and under what circumstances?
“My U.S. Mail and electronic mail are filled with promises of confidentiality about credit cards, bank accounts, health records, etc.,” says Jerry Stein, president and owner of Summer Creek Consulting, LLC, which services clinical trial sponsors and sites. “A fire hose volume of 6-point font agreements flood over me. At the same time, files containing confidential records are continually being invaded by Internet pirates. I have had to freeze my credit records at the three major providers. My experience is not unique.”
Yet while Americans, especially those under 30, are increasingly comfortable giving others a window on their world, reported data breaches in healthcare risk giving potential clinical trial subjects pause when considering participating in a trial.
A few recent examples:
- In February, Partners HealthCare revealed its computer network was breached in May 2017, potentially exposing the private information of 2,600 patients.
- Medical Oncology Hematology Consultants was hit by a cyberattack last June. Officials said the hackers targeted certain electronic files on the provider’s server and workstations.
- While Augusta University Medical Center officials say less than 1% of patients were impacted by a 2017 breach, it was the second time the organization had been hit with a successful phishing attack within the last year.
- Arkansas Oral Facial Surgery Center was hit by a cyberattack last July that shut the organization out of files, medical images, and details of patient visits. An investigation found that while quickly detected, the virus used in the attack encrypted X-ray images, files, and documents of patients who had visited the provider within three weeks prior to the incident.
While clinical trials weren’t impacted in all of these examples, a security black eye for healthcare records of any sort can contribute to the concerns of patients who are considering participating in studies. It’s not just that potential participants don’t want demographic information and personal identifiers to leak out that may allow others to pretend to be them. Many likely worry as much, if not more, about the ramifications of their medical histories and their personal results from studies being broadcast to anyone with the power to make prejudiced decisions affecting their well-being based on such information, however it was gained.
“I doubt that the clear majority of potential research subjects believe that their personal health information will be adequately protected,” says Stein.
It’s up to industry to do more to gain patients’ trust, experts say. “The process of signing [Health Information Portability and Accountability Act (HIPAA)] and confidentiality agreements within informed consent forms are pro forma exercises [that] may meet international and institutional standards, but there are significant research subject perception issues and enforcement challenges,” Stein says.
There’s no one-size-fits-all when it comes to protecting sensitive patient health information. However, there are some ways to prevent or mitigate a breach.
“Move quickly to secure your systems and fix vulnerabilities that may have caused the breach,” advises the Federal Trade Commission in its “Data Breach Response: A Guide for Business.” It suggests the following steps:
- Assemble a team of experts to conduct a comprehensive breach response. Depending on the size of the company, it might include forensics, legal, information security, information technology, operations, human resources, communications, investor relations, and management. Identify a data forensics team. Consult with legal counsel.
- Secure physical areas potentially related to the breach. Lock them and change access codes, if needed. Ask forensics experts and law enforcement when it is reasonable to resume regular operations.
- Stop additional data loss. Take all affected equipment offline immediately. However, don’t turn machines off until forensics experts are able to examine them. Never destroy evidence.
If files containing sensitive patient information must be transferred by e-mail, mechanisms to encrypt them and to ensure that password strength is high are necessary. More sophisticated collaboration tools are required to allow file sharing without password sharing.
When sharing files containing anything defined officially in HIPAA as protected health information (PHI) in the context of clinical trials, it is critical to encrypt all PHI. However, such a practice does not provide much protection if the passwords are weak or if the passwords are widely shared. One recent study in healthcare settings indicated that the passwords being used were not strong and could be compromised using a commercial password recovery tool, and that some file-sharing practices used in clinical trials promote the wide sharing of passwords among study staff.
These results suggest that stronger oversight is needed on the transfer of health information in the context of clinical trials, and better training and enforcement (technical and procedural) of good security practices.
While not always viewed as early adopters when it comes to technology, a 2017 survey conducted by Veeva found contract research organizations (CROs) utilize more clinical applications than sponsors to manage their trial processes, with 50% of CROs using five applications or more compared to 38% of sponsors. Among all clinical applications, electronic data capture (86%) is the most commonly used among CROs, followed by electronic trial master files (eTMFs) (62%).
CROs are modernizing their clinical environments at an accelerated pace compared to sponsors. More CROs (42%) use a purpose-built eTMF application versus sponsors (31%), and a third (32%) of CROs are adopting study start-up applications faster, compared to only 9% of sponsors.
In such a high-tech data environment, “Certainly, the best way to prevent a breach is to have strong technical and operational controls in place,” says Veeva’s Senior Counsel and Data Privacy Officer, Ashley Slavik. “In the privacy world, we often talk about breach as not if it will happen, but when. You certainly need to be prepared, as an organization, to manage an eventual data breach, but obviously when you’re talking about identifiable personal health information, that would be something that’s extremely sensitive. You have to approach it both from a prevention standpoint and a mitigation standpoint.”
Slavik warns that “you can’t just go into it without thinking about how you would manage [such] data.”
Slavik is a big fan of moving data to the Cloud as a means of better preventing or mitigating dangerous breaches. It provides a number of useful tools. For example, “When anyone is logging into a document, and [performing] any activity on that document, you would see who had done it and at what time,” Slavik says. “You also have the IP address and anything that they changed, so you could see if the file was downloaded, for example, or submitted or something like that…then you could identify if there was a breach in the system.”
Resources for Further Reading
Department of Health and Human Services, Office for Civil Rights. 2003. Summary of the HIPAA Privacy Rule. www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf
Fahy D, Nisbet MC. 2013. Debating bioethics openly. The Scientist https://www.the-scientist.com/?articles.view/articleNo/36098/title/Debating-Bioethics-Openly/
Institute of Medicine (U.S.) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington (D.C.): National Academies Press. www.ncbi.nlm.nih.gov/books/NBK9578/
McGraw D, Greene SM, Miner CS, Staman KL, Welch MJ, Rubel A. 2015. Privacy and confidentiality in pragmatic clinical trials. Clin Trials 12(5):520–9. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4702499/
Posting ‘anonymized’ research data may pose threats to patient privacy. 2016. (Newswise press release/Anesthesia & Analgesia) www.newswise.com/articles/view/653602/?sc=mwhp
Survey: HIPAA Privacy Rule slows scientific discovery and adds cost to research. 2007. (EurekAlert! press release/University of Pittsburgh) www.eurekalert.org/pub_releases/2007-11/uops-hpr110807.php
TransCelerate recommends approach for protecting personal data in clinical study reports. 2014. (PR Newswire press release/TransCelerate BioPharma Inc.) www.prnewswire.com/news-releases/transcelerate-biopharma-inc-releases-recommended-approach-for-protecting-personal-data-in-clinical-study-reports-273554091.html
James Michael Causey (email@example.com) is Editor-in-Chief for ACRP.
Gary W. Cramer (firstname.lastname@example.org) is Managing Editor for ACRP.